Rough and ready port of axTLS
ssl/x509.c@0:5a29fd060ac8, 2013-05-13 (annotated)
- Committer:
- ashleymills
- Date:
- Mon May 13 18:15:18 2013 +0000
- Revision:
- 0:5a29fd060ac8
initial commit
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
ashleymills | 0:5a29fd060ac8 | 1 | /* |
ashleymills | 0:5a29fd060ac8 | 2 | * Copyright (c) 2007, Cameron Rich |
ashleymills | 0:5a29fd060ac8 | 3 | * |
ashleymills | 0:5a29fd060ac8 | 4 | * All rights reserved. |
ashleymills | 0:5a29fd060ac8 | 5 | * |
ashleymills | 0:5a29fd060ac8 | 6 | * Redistribution and use in source and binary forms, with or without |
ashleymills | 0:5a29fd060ac8 | 7 | * modification, are permitted provided that the following conditions are met: |
ashleymills | 0:5a29fd060ac8 | 8 | * |
ashleymills | 0:5a29fd060ac8 | 9 | * * Redistributions of source code must retain the above copyright notice, |
ashleymills | 0:5a29fd060ac8 | 10 | * this list of conditions and the following disclaimer. |
ashleymills | 0:5a29fd060ac8 | 11 | * * Redistributions in binary form must reproduce the above copyright notice, |
ashleymills | 0:5a29fd060ac8 | 12 | * this list of conditions and the following disclaimer in the documentation |
ashleymills | 0:5a29fd060ac8 | 13 | * and/or other materials provided with the distribution. |
ashleymills | 0:5a29fd060ac8 | 14 | * * Neither the name of the axTLS project nor the names of its contributors |
ashleymills | 0:5a29fd060ac8 | 15 | * may be used to endorse or promote products derived from this software |
ashleymills | 0:5a29fd060ac8 | 16 | * without specific prior written permission. |
ashleymills | 0:5a29fd060ac8 | 17 | * |
ashleymills | 0:5a29fd060ac8 | 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
ashleymills | 0:5a29fd060ac8 | 19 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
ashleymills | 0:5a29fd060ac8 | 20 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
ashleymills | 0:5a29fd060ac8 | 21 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR |
ashleymills | 0:5a29fd060ac8 | 22 | * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
ashleymills | 0:5a29fd060ac8 | 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
ashleymills | 0:5a29fd060ac8 | 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
ashleymills | 0:5a29fd060ac8 | 25 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
ashleymills | 0:5a29fd060ac8 | 26 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
ashleymills | 0:5a29fd060ac8 | 27 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
ashleymills | 0:5a29fd060ac8 | 28 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
ashleymills | 0:5a29fd060ac8 | 29 | */ |
ashleymills | 0:5a29fd060ac8 | 30 | |
ashleymills | 0:5a29fd060ac8 | 31 | /** |
ashleymills | 0:5a29fd060ac8 | 32 | * @file x509.c |
ashleymills | 0:5a29fd060ac8 | 33 | * |
ashleymills | 0:5a29fd060ac8 | 34 | * Certificate processing. |
ashleymills | 0:5a29fd060ac8 | 35 | */ |
ashleymills | 0:5a29fd060ac8 | 36 | |
ashleymills | 0:5a29fd060ac8 | 37 | #include <time.h> |
ashleymills | 0:5a29fd060ac8 | 38 | #include <stdio.h> |
ashleymills | 0:5a29fd060ac8 | 39 | #include <stdlib.h> |
ashleymills | 0:5a29fd060ac8 | 40 | #include <string.h> |
ashleymills | 0:5a29fd060ac8 | 41 | #include "os_port.h" |
ashleymills | 0:5a29fd060ac8 | 42 | #include "crypto_misc.h" |
ashleymills | 0:5a29fd060ac8 | 43 | #include "sockets.h" |
ashleymills | 0:5a29fd060ac8 | 44 | #include "config.h" |
ashleymills | 0:5a29fd060ac8 | 45 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
ashleymills | 0:5a29fd060ac8 | 46 | /** |
ashleymills | 0:5a29fd060ac8 | 47 | * Retrieve the signature from a certificate. |
ashleymills | 0:5a29fd060ac8 | 48 | */ |
ashleymills | 0:5a29fd060ac8 | 49 | static const uint8_t *get_signature(const uint8_t *asn1_sig, int *len) |
ashleymills | 0:5a29fd060ac8 | 50 | { |
ashleymills | 0:5a29fd060ac8 | 51 | int offset = 0; |
ashleymills | 0:5a29fd060ac8 | 52 | const uint8_t *ptr = NULL; |
ashleymills | 0:5a29fd060ac8 | 53 | |
ashleymills | 0:5a29fd060ac8 | 54 | if (asn1_next_obj(asn1_sig, &offset, ASN1_SEQUENCE) < 0 || |
ashleymills | 0:5a29fd060ac8 | 55 | asn1_skip_obj(asn1_sig, &offset, ASN1_SEQUENCE)) |
ashleymills | 0:5a29fd060ac8 | 56 | goto end_get_sig; |
ashleymills | 0:5a29fd060ac8 | 57 | |
ashleymills | 0:5a29fd060ac8 | 58 | if (asn1_sig[offset++] != ASN1_OCTET_STRING) |
ashleymills | 0:5a29fd060ac8 | 59 | goto end_get_sig; |
ashleymills | 0:5a29fd060ac8 | 60 | *len = get_asn1_length(asn1_sig, &offset); |
ashleymills | 0:5a29fd060ac8 | 61 | ptr = &asn1_sig[offset]; /* all ok */ |
ashleymills | 0:5a29fd060ac8 | 62 | |
ashleymills | 0:5a29fd060ac8 | 63 | end_get_sig: |
ashleymills | 0:5a29fd060ac8 | 64 | return ptr; |
ashleymills | 0:5a29fd060ac8 | 65 | } |
ashleymills | 0:5a29fd060ac8 | 66 | |
ashleymills | 0:5a29fd060ac8 | 67 | #endif |
ashleymills | 0:5a29fd060ac8 | 68 | |
ashleymills | 0:5a29fd060ac8 | 69 | /** |
ashleymills | 0:5a29fd060ac8 | 70 | * Construct a new x509 object. |
ashleymills | 0:5a29fd060ac8 | 71 | * @return 0 if ok. < 0 if there was a problem. |
ashleymills | 0:5a29fd060ac8 | 72 | */ |
ashleymills | 0:5a29fd060ac8 | 73 | int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx) |
ashleymills | 0:5a29fd060ac8 | 74 | { |
ashleymills | 0:5a29fd060ac8 | 75 | int begin_tbs, end_tbs; |
ashleymills | 0:5a29fd060ac8 | 76 | int ret = X509_NOT_OK, offset = 0, cert_size = 0; |
ashleymills | 0:5a29fd060ac8 | 77 | X509_CTX *x509_ctx; |
ashleymills | 0:5a29fd060ac8 | 78 | BI_CTX *bi_ctx; |
ashleymills | 0:5a29fd060ac8 | 79 | |
ashleymills | 0:5a29fd060ac8 | 80 | *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX)); |
ashleymills | 0:5a29fd060ac8 | 81 | x509_ctx = *ctx; |
ashleymills | 0:5a29fd060ac8 | 82 | |
ashleymills | 0:5a29fd060ac8 | 83 | /* get the certificate size */ |
ashleymills | 0:5a29fd060ac8 | 84 | asn1_skip_obj(cert, &cert_size, ASN1_SEQUENCE); |
ashleymills | 0:5a29fd060ac8 | 85 | |
ashleymills | 0:5a29fd060ac8 | 86 | if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) |
ashleymills | 0:5a29fd060ac8 | 87 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 88 | |
ashleymills | 0:5a29fd060ac8 | 89 | begin_tbs = offset; /* start of the tbs */ |
ashleymills | 0:5a29fd060ac8 | 90 | end_tbs = begin_tbs; /* work out the end of the tbs */ |
ashleymills | 0:5a29fd060ac8 | 91 | asn1_skip_obj(cert, &end_tbs, ASN1_SEQUENCE); |
ashleymills | 0:5a29fd060ac8 | 92 | |
ashleymills | 0:5a29fd060ac8 | 93 | if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) |
ashleymills | 0:5a29fd060ac8 | 94 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 95 | |
ashleymills | 0:5a29fd060ac8 | 96 | if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */ |
ashleymills | 0:5a29fd060ac8 | 97 | { |
ashleymills | 0:5a29fd060ac8 | 98 | if (asn1_version(cert, &offset, x509_ctx)) |
ashleymills | 0:5a29fd060ac8 | 99 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 100 | } |
ashleymills | 0:5a29fd060ac8 | 101 | |
ashleymills | 0:5a29fd060ac8 | 102 | if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */ |
ashleymills | 0:5a29fd060ac8 | 103 | asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) |
ashleymills | 0:5a29fd060ac8 | 104 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 105 | |
ashleymills | 0:5a29fd060ac8 | 106 | /* make sure the signature is ok */ |
ashleymills | 0:5a29fd060ac8 | 107 | if (asn1_signature_type(cert, &offset, x509_ctx)) |
ashleymills | 0:5a29fd060ac8 | 108 | { |
ashleymills | 0:5a29fd060ac8 | 109 | ret = X509_VFY_ERROR_UNSUPPORTED_DIGEST; |
ashleymills | 0:5a29fd060ac8 | 110 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 111 | } |
ashleymills | 0:5a29fd060ac8 | 112 | |
ashleymills | 0:5a29fd060ac8 | 113 | if (asn1_name(cert, &offset, x509_ctx->ca_cert_dn) || |
ashleymills | 0:5a29fd060ac8 | 114 | asn1_validity(cert, &offset, x509_ctx) || |
ashleymills | 0:5a29fd060ac8 | 115 | asn1_name(cert, &offset, x509_ctx->cert_dn) || |
ashleymills | 0:5a29fd060ac8 | 116 | asn1_public_key(cert, &offset, x509_ctx)) |
ashleymills | 0:5a29fd060ac8 | 117 | { |
ashleymills | 0:5a29fd060ac8 | 118 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 119 | } |
ashleymills | 0:5a29fd060ac8 | 120 | |
ashleymills | 0:5a29fd060ac8 | 121 | bi_ctx = x509_ctx->rsa_ctx->bi_ctx; |
ashleymills | 0:5a29fd060ac8 | 122 | |
ashleymills | 0:5a29fd060ac8 | 123 | #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ |
ashleymills | 0:5a29fd060ac8 | 124 | /* use the appropriate signature algorithm (SHA1/MD5/MD2) */ |
ashleymills | 0:5a29fd060ac8 | 125 | if (x509_ctx->sig_type == SIG_TYPE_MD5) |
ashleymills | 0:5a29fd060ac8 | 126 | { |
ashleymills | 0:5a29fd060ac8 | 127 | MD5_CTX md5_ctx; |
ashleymills | 0:5a29fd060ac8 | 128 | uint8_t md5_dgst[MD5_SIZE]; |
ashleymills | 0:5a29fd060ac8 | 129 | MD5_Init(&md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 130 | MD5_Update(&md5_ctx, &cert[begin_tbs], end_tbs-begin_tbs); |
ashleymills | 0:5a29fd060ac8 | 131 | MD5_Final(md5_dgst, &md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 132 | x509_ctx->digest = bi_import(bi_ctx, md5_dgst, MD5_SIZE); |
ashleymills | 0:5a29fd060ac8 | 133 | } |
ashleymills | 0:5a29fd060ac8 | 134 | else if (x509_ctx->sig_type == SIG_TYPE_SHA1) |
ashleymills | 0:5a29fd060ac8 | 135 | { |
ashleymills | 0:5a29fd060ac8 | 136 | SHA1_CTX sha_ctx; |
ashleymills | 0:5a29fd060ac8 | 137 | uint8_t sha_dgst[SHA1_SIZE]; |
ashleymills | 0:5a29fd060ac8 | 138 | SHA1_Init(&sha_ctx); |
ashleymills | 0:5a29fd060ac8 | 139 | SHA1_Update(&sha_ctx, &cert[begin_tbs], end_tbs-begin_tbs); |
ashleymills | 0:5a29fd060ac8 | 140 | SHA1_Final(sha_dgst, &sha_ctx); |
ashleymills | 0:5a29fd060ac8 | 141 | x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE); |
ashleymills | 0:5a29fd060ac8 | 142 | } |
ashleymills | 0:5a29fd060ac8 | 143 | else if (x509_ctx->sig_type == SIG_TYPE_MD2) |
ashleymills | 0:5a29fd060ac8 | 144 | { |
ashleymills | 0:5a29fd060ac8 | 145 | MD2_CTX md2_ctx; |
ashleymills | 0:5a29fd060ac8 | 146 | uint8_t md2_dgst[MD2_SIZE]; |
ashleymills | 0:5a29fd060ac8 | 147 | MD2_Init(&md2_ctx); |
ashleymills | 0:5a29fd060ac8 | 148 | MD2_Update(&md2_ctx, &cert[begin_tbs], end_tbs-begin_tbs); |
ashleymills | 0:5a29fd060ac8 | 149 | MD2_Final(md2_dgst, &md2_ctx); |
ashleymills | 0:5a29fd060ac8 | 150 | x509_ctx->digest = bi_import(bi_ctx, md2_dgst, MD2_SIZE); |
ashleymills | 0:5a29fd060ac8 | 151 | } |
ashleymills | 0:5a29fd060ac8 | 152 | |
ashleymills | 0:5a29fd060ac8 | 153 | if (cert[offset] == ASN1_V3_DATA) |
ashleymills | 0:5a29fd060ac8 | 154 | { |
ashleymills | 0:5a29fd060ac8 | 155 | int suboffset; |
ashleymills | 0:5a29fd060ac8 | 156 | |
ashleymills | 0:5a29fd060ac8 | 157 | ++offset; |
ashleymills | 0:5a29fd060ac8 | 158 | get_asn1_length(cert, &offset); |
ashleymills | 0:5a29fd060ac8 | 159 | |
ashleymills | 0:5a29fd060ac8 | 160 | if ((suboffset = asn1_find_subjectaltname(cert, offset)) > 0) |
ashleymills | 0:5a29fd060ac8 | 161 | { |
ashleymills | 0:5a29fd060ac8 | 162 | if (asn1_next_obj(cert, &suboffset, ASN1_OCTET_STRING) > 0) |
ashleymills | 0:5a29fd060ac8 | 163 | { |
ashleymills | 0:5a29fd060ac8 | 164 | int altlen; |
ashleymills | 0:5a29fd060ac8 | 165 | |
ashleymills | 0:5a29fd060ac8 | 166 | if ((altlen = asn1_next_obj(cert, |
ashleymills | 0:5a29fd060ac8 | 167 | &suboffset, ASN1_SEQUENCE)) > 0) |
ashleymills | 0:5a29fd060ac8 | 168 | { |
ashleymills | 0:5a29fd060ac8 | 169 | int endalt = suboffset + altlen; |
ashleymills | 0:5a29fd060ac8 | 170 | int totalnames = 0; |
ashleymills | 0:5a29fd060ac8 | 171 | |
ashleymills | 0:5a29fd060ac8 | 172 | while (suboffset < endalt) |
ashleymills | 0:5a29fd060ac8 | 173 | { |
ashleymills | 0:5a29fd060ac8 | 174 | int type = cert[suboffset++]; |
ashleymills | 0:5a29fd060ac8 | 175 | int dnslen = get_asn1_length(cert, &suboffset); |
ashleymills | 0:5a29fd060ac8 | 176 | |
ashleymills | 0:5a29fd060ac8 | 177 | if (type == ASN1_CONTEXT_DNSNAME) |
ashleymills | 0:5a29fd060ac8 | 178 | { |
ashleymills | 0:5a29fd060ac8 | 179 | x509_ctx->subject_alt_dnsnames = (char**) |
ashleymills | 0:5a29fd060ac8 | 180 | realloc(x509_ctx->subject_alt_dnsnames, |
ashleymills | 0:5a29fd060ac8 | 181 | (totalnames + 2) * sizeof(char*)); |
ashleymills | 0:5a29fd060ac8 | 182 | x509_ctx->subject_alt_dnsnames[totalnames] = |
ashleymills | 0:5a29fd060ac8 | 183 | (char*)malloc(dnslen + 1); |
ashleymills | 0:5a29fd060ac8 | 184 | x509_ctx->subject_alt_dnsnames[totalnames+1] = NULL; |
ashleymills | 0:5a29fd060ac8 | 185 | memcpy(x509_ctx->subject_alt_dnsnames[totalnames], |
ashleymills | 0:5a29fd060ac8 | 186 | cert + suboffset, dnslen); |
ashleymills | 0:5a29fd060ac8 | 187 | x509_ctx->subject_alt_dnsnames[ |
ashleymills | 0:5a29fd060ac8 | 188 | totalnames][dnslen] = 0; |
ashleymills | 0:5a29fd060ac8 | 189 | ++totalnames; |
ashleymills | 0:5a29fd060ac8 | 190 | } |
ashleymills | 0:5a29fd060ac8 | 191 | |
ashleymills | 0:5a29fd060ac8 | 192 | suboffset += dnslen; |
ashleymills | 0:5a29fd060ac8 | 193 | } |
ashleymills | 0:5a29fd060ac8 | 194 | } |
ashleymills | 0:5a29fd060ac8 | 195 | } |
ashleymills | 0:5a29fd060ac8 | 196 | } |
ashleymills | 0:5a29fd060ac8 | 197 | } |
ashleymills | 0:5a29fd060ac8 | 198 | |
ashleymills | 0:5a29fd060ac8 | 199 | offset = end_tbs; /* skip the rest of v3 data */ |
ashleymills | 0:5a29fd060ac8 | 200 | if (asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) || |
ashleymills | 0:5a29fd060ac8 | 201 | asn1_signature(cert, &offset, x509_ctx)) |
ashleymills | 0:5a29fd060ac8 | 202 | goto end_cert; |
ashleymills | 0:5a29fd060ac8 | 203 | #endif |
ashleymills | 0:5a29fd060ac8 | 204 | ret = X509_OK; |
ashleymills | 0:5a29fd060ac8 | 205 | end_cert: |
ashleymills | 0:5a29fd060ac8 | 206 | if (len) |
ashleymills | 0:5a29fd060ac8 | 207 | { |
ashleymills | 0:5a29fd060ac8 | 208 | *len = cert_size; |
ashleymills | 0:5a29fd060ac8 | 209 | } |
ashleymills | 0:5a29fd060ac8 | 210 | |
ashleymills | 0:5a29fd060ac8 | 211 | if (ret) |
ashleymills | 0:5a29fd060ac8 | 212 | { |
ashleymills | 0:5a29fd060ac8 | 213 | #ifdef CONFIG_SSL_FULL_MODE |
ashleymills | 0:5a29fd060ac8 | 214 | printf("Error: Invalid X509 ASN.1 file (%s)\n", |
ashleymills | 0:5a29fd060ac8 | 215 | x509_display_error(ret)); |
ashleymills | 0:5a29fd060ac8 | 216 | #endif |
ashleymills | 0:5a29fd060ac8 | 217 | x509_free(x509_ctx); |
ashleymills | 0:5a29fd060ac8 | 218 | *ctx = NULL; |
ashleymills | 0:5a29fd060ac8 | 219 | } |
ashleymills | 0:5a29fd060ac8 | 220 | |
ashleymills | 0:5a29fd060ac8 | 221 | return ret; |
ashleymills | 0:5a29fd060ac8 | 222 | } |
ashleymills | 0:5a29fd060ac8 | 223 | |
ashleymills | 0:5a29fd060ac8 | 224 | /** |
ashleymills | 0:5a29fd060ac8 | 225 | * Free an X.509 object's resources. |
ashleymills | 0:5a29fd060ac8 | 226 | */ |
ashleymills | 0:5a29fd060ac8 | 227 | void x509_free(X509_CTX *x509_ctx) |
ashleymills | 0:5a29fd060ac8 | 228 | { |
ashleymills | 0:5a29fd060ac8 | 229 | X509_CTX *next; |
ashleymills | 0:5a29fd060ac8 | 230 | int i; |
ashleymills | 0:5a29fd060ac8 | 231 | |
ashleymills | 0:5a29fd060ac8 | 232 | if (x509_ctx == NULL) /* if already null, then don't bother */ |
ashleymills | 0:5a29fd060ac8 | 233 | return; |
ashleymills | 0:5a29fd060ac8 | 234 | |
ashleymills | 0:5a29fd060ac8 | 235 | for (i = 0; i < X509_NUM_DN_TYPES; i++) |
ashleymills | 0:5a29fd060ac8 | 236 | { |
ashleymills | 0:5a29fd060ac8 | 237 | free(x509_ctx->ca_cert_dn[i]); |
ashleymills | 0:5a29fd060ac8 | 238 | free(x509_ctx->cert_dn[i]); |
ashleymills | 0:5a29fd060ac8 | 239 | } |
ashleymills | 0:5a29fd060ac8 | 240 | |
ashleymills | 0:5a29fd060ac8 | 241 | free(x509_ctx->signature); |
ashleymills | 0:5a29fd060ac8 | 242 | |
ashleymills | 0:5a29fd060ac8 | 243 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
ashleymills | 0:5a29fd060ac8 | 244 | if (x509_ctx->digest) |
ashleymills | 0:5a29fd060ac8 | 245 | { |
ashleymills | 0:5a29fd060ac8 | 246 | bi_free(x509_ctx->rsa_ctx->bi_ctx, x509_ctx->digest); |
ashleymills | 0:5a29fd060ac8 | 247 | } |
ashleymills | 0:5a29fd060ac8 | 248 | |
ashleymills | 0:5a29fd060ac8 | 249 | if (x509_ctx->subject_alt_dnsnames) |
ashleymills | 0:5a29fd060ac8 | 250 | { |
ashleymills | 0:5a29fd060ac8 | 251 | for (i = 0; x509_ctx->subject_alt_dnsnames[i]; ++i) |
ashleymills | 0:5a29fd060ac8 | 252 | free(x509_ctx->subject_alt_dnsnames[i]); |
ashleymills | 0:5a29fd060ac8 | 253 | |
ashleymills | 0:5a29fd060ac8 | 254 | free(x509_ctx->subject_alt_dnsnames); |
ashleymills | 0:5a29fd060ac8 | 255 | } |
ashleymills | 0:5a29fd060ac8 | 256 | #endif |
ashleymills | 0:5a29fd060ac8 | 257 | |
ashleymills | 0:5a29fd060ac8 | 258 | RSA_free(x509_ctx->rsa_ctx); |
ashleymills | 0:5a29fd060ac8 | 259 | next = x509_ctx->next; |
ashleymills | 0:5a29fd060ac8 | 260 | free(x509_ctx); |
ashleymills | 0:5a29fd060ac8 | 261 | x509_free(next); /* clear the chain */ |
ashleymills | 0:5a29fd060ac8 | 262 | } |
ashleymills | 0:5a29fd060ac8 | 263 | |
ashleymills | 0:5a29fd060ac8 | 264 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
ashleymills | 0:5a29fd060ac8 | 265 | /** |
ashleymills | 0:5a29fd060ac8 | 266 | * Take a signature and decrypt it. |
ashleymills | 0:5a29fd060ac8 | 267 | */ |
ashleymills | 0:5a29fd060ac8 | 268 | static bigint *sig_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, |
ashleymills | 0:5a29fd060ac8 | 269 | bigint *modulus, bigint *pub_exp) |
ashleymills | 0:5a29fd060ac8 | 270 | { |
ashleymills | 0:5a29fd060ac8 | 271 | int i, size; |
ashleymills | 0:5a29fd060ac8 | 272 | bigint *decrypted_bi, *dat_bi; |
ashleymills | 0:5a29fd060ac8 | 273 | bigint *bir = NULL; |
ashleymills | 0:5a29fd060ac8 | 274 | uint8_t *block = (uint8_t *)alloca(sig_len); |
ashleymills | 0:5a29fd060ac8 | 275 | |
ashleymills | 0:5a29fd060ac8 | 276 | /* decrypt */ |
ashleymills | 0:5a29fd060ac8 | 277 | dat_bi = bi_import(ctx, sig, sig_len); |
ashleymills | 0:5a29fd060ac8 | 278 | ctx->mod_offset = BIGINT_M_OFFSET; |
ashleymills | 0:5a29fd060ac8 | 279 | |
ashleymills | 0:5a29fd060ac8 | 280 | /* convert to a normal block */ |
ashleymills | 0:5a29fd060ac8 | 281 | decrypted_bi = bi_mod_power2(ctx, dat_bi, modulus, pub_exp); |
ashleymills | 0:5a29fd060ac8 | 282 | |
ashleymills | 0:5a29fd060ac8 | 283 | bi_export(ctx, decrypted_bi, block, sig_len); |
ashleymills | 0:5a29fd060ac8 | 284 | ctx->mod_offset = BIGINT_M_OFFSET; |
ashleymills | 0:5a29fd060ac8 | 285 | |
ashleymills | 0:5a29fd060ac8 | 286 | i = 10; /* start at the first possible non-padded byte */ |
ashleymills | 0:5a29fd060ac8 | 287 | while (block[i++] && i < sig_len); |
ashleymills | 0:5a29fd060ac8 | 288 | size = sig_len - i; |
ashleymills | 0:5a29fd060ac8 | 289 | |
ashleymills | 0:5a29fd060ac8 | 290 | /* get only the bit we want */ |
ashleymills | 0:5a29fd060ac8 | 291 | if (size > 0) |
ashleymills | 0:5a29fd060ac8 | 292 | { |
ashleymills | 0:5a29fd060ac8 | 293 | int len; |
ashleymills | 0:5a29fd060ac8 | 294 | const uint8_t *sig_ptr = get_signature(&block[i], &len); |
ashleymills | 0:5a29fd060ac8 | 295 | |
ashleymills | 0:5a29fd060ac8 | 296 | if (sig_ptr) |
ashleymills | 0:5a29fd060ac8 | 297 | { |
ashleymills | 0:5a29fd060ac8 | 298 | bir = bi_import(ctx, sig_ptr, len); |
ashleymills | 0:5a29fd060ac8 | 299 | } |
ashleymills | 0:5a29fd060ac8 | 300 | } |
ashleymills | 0:5a29fd060ac8 | 301 | |
ashleymills | 0:5a29fd060ac8 | 302 | /* save a few bytes of memory */ |
ashleymills | 0:5a29fd060ac8 | 303 | bi_clear_cache(ctx); |
ashleymills | 0:5a29fd060ac8 | 304 | return bir; |
ashleymills | 0:5a29fd060ac8 | 305 | } |
ashleymills | 0:5a29fd060ac8 | 306 | |
ashleymills | 0:5a29fd060ac8 | 307 | /** |
ashleymills | 0:5a29fd060ac8 | 308 | * Do some basic checks on the certificate chain. |
ashleymills | 0:5a29fd060ac8 | 309 | * |
ashleymills | 0:5a29fd060ac8 | 310 | * Certificate verification consists of a number of checks: |
ashleymills | 0:5a29fd060ac8 | 311 | * - The date of the certificate is after the start date. |
ashleymills | 0:5a29fd060ac8 | 312 | * - The date of the certificate is before the finish date. |
ashleymills | 0:5a29fd060ac8 | 313 | * - A root certificate exists in the certificate store. |
ashleymills | 0:5a29fd060ac8 | 314 | * - That the certificate(s) are not self-signed. |
ashleymills | 0:5a29fd060ac8 | 315 | * - The certificate chain is valid. |
ashleymills | 0:5a29fd060ac8 | 316 | * - The signature of the certificate is valid. |
ashleymills | 0:5a29fd060ac8 | 317 | */ |
ashleymills | 0:5a29fd060ac8 | 318 | int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) |
ashleymills | 0:5a29fd060ac8 | 319 | { |
ashleymills | 0:5a29fd060ac8 | 320 | int ret = X509_OK, i = 0; |
ashleymills | 0:5a29fd060ac8 | 321 | bigint *cert_sig; |
ashleymills | 0:5a29fd060ac8 | 322 | X509_CTX *next_cert = NULL; |
ashleymills | 0:5a29fd060ac8 | 323 | BI_CTX *ctx = NULL; |
ashleymills | 0:5a29fd060ac8 | 324 | bigint *mod = NULL, *expn = NULL; |
ashleymills | 0:5a29fd060ac8 | 325 | int match_ca_cert = 0; |
ashleymills | 0:5a29fd060ac8 | 326 | struct timeval tv; |
ashleymills | 0:5a29fd060ac8 | 327 | uint8_t is_self_signed = 0; |
ashleymills | 0:5a29fd060ac8 | 328 | |
ashleymills | 0:5a29fd060ac8 | 329 | if (cert == NULL) |
ashleymills | 0:5a29fd060ac8 | 330 | { |
ashleymills | 0:5a29fd060ac8 | 331 | ret = X509_VFY_ERROR_NO_TRUSTED_CERT; |
ashleymills | 0:5a29fd060ac8 | 332 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 333 | } |
ashleymills | 0:5a29fd060ac8 | 334 | |
ashleymills | 0:5a29fd060ac8 | 335 | /* a self-signed certificate that is not in the CA store - use this |
ashleymills | 0:5a29fd060ac8 | 336 | to check the signature */ |
ashleymills | 0:5a29fd060ac8 | 337 | if (asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0) |
ashleymills | 0:5a29fd060ac8 | 338 | { |
ashleymills | 0:5a29fd060ac8 | 339 | printf("self signed cert\r\n"); |
ashleymills | 0:5a29fd060ac8 | 340 | is_self_signed = 1; |
ashleymills | 0:5a29fd060ac8 | 341 | ctx = cert->rsa_ctx->bi_ctx; |
ashleymills | 0:5a29fd060ac8 | 342 | mod = cert->rsa_ctx->m; |
ashleymills | 0:5a29fd060ac8 | 343 | expn = cert->rsa_ctx->e; |
ashleymills | 0:5a29fd060ac8 | 344 | } |
ashleymills | 0:5a29fd060ac8 | 345 | |
ashleymills | 0:5a29fd060ac8 | 346 | gettimeofday(&tv, NULL); |
ashleymills | 0:5a29fd060ac8 | 347 | |
ashleymills | 0:5a29fd060ac8 | 348 | /* check the not before date */ |
ashleymills | 0:5a29fd060ac8 | 349 | if (tv.tv_sec < cert->not_before) |
ashleymills | 0:5a29fd060ac8 | 350 | { |
ashleymills | 0:5a29fd060ac8 | 351 | ret = X509_VFY_ERROR_NOT_YET_VALID; |
ashleymills | 0:5a29fd060ac8 | 352 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 353 | } |
ashleymills | 0:5a29fd060ac8 | 354 | |
ashleymills | 0:5a29fd060ac8 | 355 | /* check the not after date */ |
ashleymills | 0:5a29fd060ac8 | 356 | if (tv.tv_sec > cert->not_after) |
ashleymills | 0:5a29fd060ac8 | 357 | { |
ashleymills | 0:5a29fd060ac8 | 358 | ret = X509_VFY_ERROR_EXPIRED; |
ashleymills | 0:5a29fd060ac8 | 359 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 360 | } |
ashleymills | 0:5a29fd060ac8 | 361 | |
ashleymills | 0:5a29fd060ac8 | 362 | next_cert = cert->next; |
ashleymills | 0:5a29fd060ac8 | 363 | |
ashleymills | 0:5a29fd060ac8 | 364 | /* last cert in the chain - look for a trusted cert */ |
ashleymills | 0:5a29fd060ac8 | 365 | if (next_cert == NULL) |
ashleymills | 0:5a29fd060ac8 | 366 | { |
ashleymills | 0:5a29fd060ac8 | 367 | if (ca_cert_ctx != NULL) |
ashleymills | 0:5a29fd060ac8 | 368 | { |
ashleymills | 0:5a29fd060ac8 | 369 | /* go thu the CA store */ |
ashleymills | 0:5a29fd060ac8 | 370 | while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) |
ashleymills | 0:5a29fd060ac8 | 371 | { |
ashleymills | 0:5a29fd060ac8 | 372 | if (asn1_compare_dn(cert->ca_cert_dn, |
ashleymills | 0:5a29fd060ac8 | 373 | ca_cert_ctx->cert[i]->cert_dn) == 0) |
ashleymills | 0:5a29fd060ac8 | 374 | { |
ashleymills | 0:5a29fd060ac8 | 375 | /* use this CA certificate for signature verification */ |
ashleymills | 0:5a29fd060ac8 | 376 | match_ca_cert = 1; |
ashleymills | 0:5a29fd060ac8 | 377 | ctx = ca_cert_ctx->cert[i]->rsa_ctx->bi_ctx; |
ashleymills | 0:5a29fd060ac8 | 378 | mod = ca_cert_ctx->cert[i]->rsa_ctx->m; |
ashleymills | 0:5a29fd060ac8 | 379 | expn = ca_cert_ctx->cert[i]->rsa_ctx->e; |
ashleymills | 0:5a29fd060ac8 | 380 | break; |
ashleymills | 0:5a29fd060ac8 | 381 | } |
ashleymills | 0:5a29fd060ac8 | 382 | |
ashleymills | 0:5a29fd060ac8 | 383 | i++; |
ashleymills | 0:5a29fd060ac8 | 384 | } |
ashleymills | 0:5a29fd060ac8 | 385 | } |
ashleymills | 0:5a29fd060ac8 | 386 | |
ashleymills | 0:5a29fd060ac8 | 387 | /* couldn't find a trusted cert (& let self-signed errors |
ashleymills | 0:5a29fd060ac8 | 388 | be returned) */ |
ashleymills | 0:5a29fd060ac8 | 389 | if (!match_ca_cert && !is_self_signed) |
ashleymills | 0:5a29fd060ac8 | 390 | { |
ashleymills | 0:5a29fd060ac8 | 391 | ret = X509_VFY_ERROR_NO_TRUSTED_CERT; |
ashleymills | 0:5a29fd060ac8 | 392 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 393 | } |
ashleymills | 0:5a29fd060ac8 | 394 | } |
ashleymills | 0:5a29fd060ac8 | 395 | else if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0) |
ashleymills | 0:5a29fd060ac8 | 396 | { |
ashleymills | 0:5a29fd060ac8 | 397 | /* check the chain */ |
ashleymills | 0:5a29fd060ac8 | 398 | ret = X509_VFY_ERROR_INVALID_CHAIN; |
ashleymills | 0:5a29fd060ac8 | 399 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 400 | } |
ashleymills | 0:5a29fd060ac8 | 401 | else /* use the next certificate in the chain for signature verify */ |
ashleymills | 0:5a29fd060ac8 | 402 | { |
ashleymills | 0:5a29fd060ac8 | 403 | ctx = next_cert->rsa_ctx->bi_ctx; |
ashleymills | 0:5a29fd060ac8 | 404 | mod = next_cert->rsa_ctx->m; |
ashleymills | 0:5a29fd060ac8 | 405 | expn = next_cert->rsa_ctx->e; |
ashleymills | 0:5a29fd060ac8 | 406 | } |
ashleymills | 0:5a29fd060ac8 | 407 | |
ashleymills | 0:5a29fd060ac8 | 408 | /* cert is self signed */ |
ashleymills | 0:5a29fd060ac8 | 409 | if (!match_ca_cert && is_self_signed) |
ashleymills | 0:5a29fd060ac8 | 410 | { |
ashleymills | 0:5a29fd060ac8 | 411 | ret = X509_VFY_ERROR_SELF_SIGNED; |
ashleymills | 0:5a29fd060ac8 | 412 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 413 | } |
ashleymills | 0:5a29fd060ac8 | 414 | |
ashleymills | 0:5a29fd060ac8 | 415 | /* check the signature */ |
ashleymills | 0:5a29fd060ac8 | 416 | cert_sig = sig_verify(ctx, cert->signature, cert->sig_len, |
ashleymills | 0:5a29fd060ac8 | 417 | bi_clone(ctx, mod), bi_clone(ctx, expn)); |
ashleymills | 0:5a29fd060ac8 | 418 | |
ashleymills | 0:5a29fd060ac8 | 419 | if (cert_sig && cert->digest) |
ashleymills | 0:5a29fd060ac8 | 420 | { |
ashleymills | 0:5a29fd060ac8 | 421 | if (bi_compare(cert_sig, cert->digest) != 0) |
ashleymills | 0:5a29fd060ac8 | 422 | ret = X509_VFY_ERROR_BAD_SIGNATURE; |
ashleymills | 0:5a29fd060ac8 | 423 | |
ashleymills | 0:5a29fd060ac8 | 424 | |
ashleymills | 0:5a29fd060ac8 | 425 | bi_free(ctx, cert_sig); |
ashleymills | 0:5a29fd060ac8 | 426 | } |
ashleymills | 0:5a29fd060ac8 | 427 | else |
ashleymills | 0:5a29fd060ac8 | 428 | { |
ashleymills | 0:5a29fd060ac8 | 429 | ret = X509_VFY_ERROR_BAD_SIGNATURE; |
ashleymills | 0:5a29fd060ac8 | 430 | } |
ashleymills | 0:5a29fd060ac8 | 431 | |
ashleymills | 0:5a29fd060ac8 | 432 | if (ret) |
ashleymills | 0:5a29fd060ac8 | 433 | goto end_verify; |
ashleymills | 0:5a29fd060ac8 | 434 | |
ashleymills | 0:5a29fd060ac8 | 435 | /* go down the certificate chain using recursion. */ |
ashleymills | 0:5a29fd060ac8 | 436 | if (next_cert != NULL) |
ashleymills | 0:5a29fd060ac8 | 437 | { |
ashleymills | 0:5a29fd060ac8 | 438 | ret = x509_verify(ca_cert_ctx, next_cert); |
ashleymills | 0:5a29fd060ac8 | 439 | } |
ashleymills | 0:5a29fd060ac8 | 440 | |
ashleymills | 0:5a29fd060ac8 | 441 | end_verify: |
ashleymills | 0:5a29fd060ac8 | 442 | return ret; |
ashleymills | 0:5a29fd060ac8 | 443 | } |
ashleymills | 0:5a29fd060ac8 | 444 | #endif |
ashleymills | 0:5a29fd060ac8 | 445 | |
ashleymills | 0:5a29fd060ac8 | 446 | #if defined (CONFIG_SSL_FULL_MODE) |
ashleymills | 0:5a29fd060ac8 | 447 | /** |
ashleymills | 0:5a29fd060ac8 | 448 | * Used for diagnostics. |
ashleymills | 0:5a29fd060ac8 | 449 | */ |
ashleymills | 0:5a29fd060ac8 | 450 | static const char *not_part_of_cert = "<Not Part Of Certificate>"; |
ashleymills | 0:5a29fd060ac8 | 451 | void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx) |
ashleymills | 0:5a29fd060ac8 | 452 | { |
ashleymills | 0:5a29fd060ac8 | 453 | if (cert == NULL) |
ashleymills | 0:5a29fd060ac8 | 454 | return; |
ashleymills | 0:5a29fd060ac8 | 455 | |
ashleymills | 0:5a29fd060ac8 | 456 | printf("=== CERTIFICATE ISSUED TO ===\n"); |
ashleymills | 0:5a29fd060ac8 | 457 | printf("Common Name (CN):\t\t"); |
ashleymills | 0:5a29fd060ac8 | 458 | printf("%s\r\n", cert->cert_dn[X509_COMMON_NAME] ? |
ashleymills | 0:5a29fd060ac8 | 459 | cert->cert_dn[X509_COMMON_NAME] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 460 | |
ashleymills | 0:5a29fd060ac8 | 461 | printf("Organization (O):\t\t"); |
ashleymills | 0:5a29fd060ac8 | 462 | printf("%s\r\n", cert->cert_dn[X509_ORGANIZATION] ? |
ashleymills | 0:5a29fd060ac8 | 463 | cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 464 | |
ashleymills | 0:5a29fd060ac8 | 465 | printf("Organizational Unit (OU):\t"); |
ashleymills | 0:5a29fd060ac8 | 466 | printf("%s\r\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT] ? |
ashleymills | 0:5a29fd060ac8 | 467 | cert->cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 468 | |
ashleymills | 0:5a29fd060ac8 | 469 | printf("=== CERTIFICATE ISSUED BY ===\r\n"); |
ashleymills | 0:5a29fd060ac8 | 470 | printf("Common Name (CN):\t\t"); |
ashleymills | 0:5a29fd060ac8 | 471 | printf("%s\r\n", cert->ca_cert_dn[X509_COMMON_NAME] ? |
ashleymills | 0:5a29fd060ac8 | 472 | cert->ca_cert_dn[X509_COMMON_NAME] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 473 | |
ashleymills | 0:5a29fd060ac8 | 474 | printf("Organization (O):\t\t"); |
ashleymills | 0:5a29fd060ac8 | 475 | printf("%s\r\n", cert->ca_cert_dn[X509_ORGANIZATION] ? |
ashleymills | 0:5a29fd060ac8 | 476 | cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 477 | |
ashleymills | 0:5a29fd060ac8 | 478 | printf("Organizational Unit (OU):\t"); |
ashleymills | 0:5a29fd060ac8 | 479 | printf("%s\r\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] ? |
ashleymills | 0:5a29fd060ac8 | 480 | cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); |
ashleymills | 0:5a29fd060ac8 | 481 | |
ashleymills | 0:5a29fd060ac8 | 482 | printf("Not Before:\t\t\t%s\r\n", ctime(&cert->not_before)); |
ashleymills | 0:5a29fd060ac8 | 483 | printf("Not After:\t\t\t%s\r\n", ctime(&cert->not_after)); |
ashleymills | 0:5a29fd060ac8 | 484 | printf("RSA bitsize:\t\t\t%d\r\n", cert->rsa_ctx->num_octets*8); |
ashleymills | 0:5a29fd060ac8 | 485 | printf("Sig Type:\t\t\t"); |
ashleymills | 0:5a29fd060ac8 | 486 | switch (cert->sig_type) |
ashleymills | 0:5a29fd060ac8 | 487 | { |
ashleymills | 0:5a29fd060ac8 | 488 | case SIG_TYPE_MD5: |
ashleymills | 0:5a29fd060ac8 | 489 | printf("MD5\r\n"); |
ashleymills | 0:5a29fd060ac8 | 490 | break; |
ashleymills | 0:5a29fd060ac8 | 491 | case SIG_TYPE_SHA1: |
ashleymills | 0:5a29fd060ac8 | 492 | printf("SHA1\r\n"); |
ashleymills | 0:5a29fd060ac8 | 493 | break; |
ashleymills | 0:5a29fd060ac8 | 494 | case SIG_TYPE_MD2: |
ashleymills | 0:5a29fd060ac8 | 495 | printf("MD2\r\n"); |
ashleymills | 0:5a29fd060ac8 | 496 | break; |
ashleymills | 0:5a29fd060ac8 | 497 | default: |
ashleymills | 0:5a29fd060ac8 | 498 | printf("Unrecognized: %d\r\n", cert->sig_type); |
ashleymills | 0:5a29fd060ac8 | 499 | break; |
ashleymills | 0:5a29fd060ac8 | 500 | } |
ashleymills | 0:5a29fd060ac8 | 501 | |
ashleymills | 0:5a29fd060ac8 | 502 | if (ca_cert_ctx) |
ashleymills | 0:5a29fd060ac8 | 503 | { |
ashleymills | 0:5a29fd060ac8 | 504 | printf("Verify:\t\t\t\t%s\r\n", |
ashleymills | 0:5a29fd060ac8 | 505 | x509_display_error(x509_verify(ca_cert_ctx, cert))); |
ashleymills | 0:5a29fd060ac8 | 506 | } |
ashleymills | 0:5a29fd060ac8 | 507 | |
ashleymills | 0:5a29fd060ac8 | 508 | #if 0 |
ashleymills | 0:5a29fd060ac8 | 509 | print_blob("Signature", cert->signature, cert->sig_len); |
ashleymills | 0:5a29fd060ac8 | 510 | bi_print("Modulus", cert->rsa_ctx->m); |
ashleymills | 0:5a29fd060ac8 | 511 | bi_print("Pub Exp", cert->rsa_ctx->e); |
ashleymills | 0:5a29fd060ac8 | 512 | #endif |
ashleymills | 0:5a29fd060ac8 | 513 | |
ashleymills | 0:5a29fd060ac8 | 514 | if (ca_cert_ctx) |
ashleymills | 0:5a29fd060ac8 | 515 | { |
ashleymills | 0:5a29fd060ac8 | 516 | x509_print(cert->next, ca_cert_ctx); |
ashleymills | 0:5a29fd060ac8 | 517 | } |
ashleymills | 0:5a29fd060ac8 | 518 | |
ashleymills | 0:5a29fd060ac8 | 519 | TTY_FLUSH(); |
ashleymills | 0:5a29fd060ac8 | 520 | } |
ashleymills | 0:5a29fd060ac8 | 521 | |
ashleymills | 0:5a29fd060ac8 | 522 | const char * x509_display_error(int error) |
ashleymills | 0:5a29fd060ac8 | 523 | { |
ashleymills | 0:5a29fd060ac8 | 524 | switch (error) |
ashleymills | 0:5a29fd060ac8 | 525 | { |
ashleymills | 0:5a29fd060ac8 | 526 | case X509_OK: |
ashleymills | 0:5a29fd060ac8 | 527 | return "Certificate verify successful"; |
ashleymills | 0:5a29fd060ac8 | 528 | |
ashleymills | 0:5a29fd060ac8 | 529 | case X509_NOT_OK: |
ashleymills | 0:5a29fd060ac8 | 530 | return "X509 not ok"; |
ashleymills | 0:5a29fd060ac8 | 531 | |
ashleymills | 0:5a29fd060ac8 | 532 | case X509_VFY_ERROR_NO_TRUSTED_CERT: |
ashleymills | 0:5a29fd060ac8 | 533 | return "No trusted cert is available"; |
ashleymills | 0:5a29fd060ac8 | 534 | |
ashleymills | 0:5a29fd060ac8 | 535 | case X509_VFY_ERROR_BAD_SIGNATURE: |
ashleymills | 0:5a29fd060ac8 | 536 | return "Bad signature"; |
ashleymills | 0:5a29fd060ac8 | 537 | |
ashleymills | 0:5a29fd060ac8 | 538 | case X509_VFY_ERROR_NOT_YET_VALID: |
ashleymills | 0:5a29fd060ac8 | 539 | return "Cert is not yet valid"; |
ashleymills | 0:5a29fd060ac8 | 540 | |
ashleymills | 0:5a29fd060ac8 | 541 | case X509_VFY_ERROR_EXPIRED: |
ashleymills | 0:5a29fd060ac8 | 542 | return "Cert has expired"; |
ashleymills | 0:5a29fd060ac8 | 543 | |
ashleymills | 0:5a29fd060ac8 | 544 | case X509_VFY_ERROR_SELF_SIGNED: |
ashleymills | 0:5a29fd060ac8 | 545 | return "Cert is self-signed"; |
ashleymills | 0:5a29fd060ac8 | 546 | |
ashleymills | 0:5a29fd060ac8 | 547 | case X509_VFY_ERROR_INVALID_CHAIN: |
ashleymills | 0:5a29fd060ac8 | 548 | return "Chain is invalid (check order of certs)"; |
ashleymills | 0:5a29fd060ac8 | 549 | |
ashleymills | 0:5a29fd060ac8 | 550 | case X509_VFY_ERROR_UNSUPPORTED_DIGEST: |
ashleymills | 0:5a29fd060ac8 | 551 | return "Unsupported digest"; |
ashleymills | 0:5a29fd060ac8 | 552 | |
ashleymills | 0:5a29fd060ac8 | 553 | case X509_INVALID_PRIV_KEY: |
ashleymills | 0:5a29fd060ac8 | 554 | return "Invalid private key"; |
ashleymills | 0:5a29fd060ac8 | 555 | |
ashleymills | 0:5a29fd060ac8 | 556 | default: |
ashleymills | 0:5a29fd060ac8 | 557 | return "Unknown"; |
ashleymills | 0:5a29fd060ac8 | 558 | } |
ashleymills | 0:5a29fd060ac8 | 559 | } |
ashleymills | 0:5a29fd060ac8 | 560 | #endif /* CONFIG_SSL_FULL_MODE */ |
ashleymills | 0:5a29fd060ac8 | 561 |